An employee noticed unusual activity on a computer on September 25, 2012. It is possible that former and current members of the Waipahu Aloha Clubhouse had information on the computer that was remotely accessed by an unauthorized party. Names, Social Security numbers, dates of birth, addresses, phone numbers, and consumer record numbers dating back to 1997 may have been exposed. Though the Clubhouse services people living with severe and persistent mental illness, no medical records were exposed.

Information Source:PHIPrivacy.net

records from this breach used in our total: 0

January 7, 2014

Risk Solutions International LLC, Loudoun County Public SchoolsAshburn, Virginia

EDU

DISC

Unknown

Loudoun County school officials have responded to a data breach that made publicly available personal information about students and staff members, along with detailed emergency response plans for each school.

More than 1,300 links could be accessed through a Google search, thought to be password protected, unveiled thousands of detailed documents as to how each school in the district will respond to a long list of emergencies, which included the staging areas for response teams as well as where the students and staff would be located during an emergency.

Additional documents that could be accessed included students' courrse schedules, locker combinations, home addresses, phone numbers and birthdates along with the address and cell phone numbers for many school administrators.

The contractor Risk Solution International acknowledged that the breach was caused by "human error" on their part, which is said to be the cause of the data breach.

UPDATE: Loudoun County Public Schools administrators released a more detailed statement about the information made publicly available on the Internet due to errors committed by the contractor Risk Solutions International (RSI).

According to school officials, the investigation is continuing as to how the webpage, which was made accessible through online search engines without any password protection happened. The page included 1,286 links detailing information on 84 Loudoun schools. It is unknown how long the information was exposed or how many links were opened by unauthorized individuals.

Locker combinations were revealed for one school and only one parent contact information was revealed for fewer than 10 schools according to the spokesperson for the district. The statement also made clear that RSI's website was not hacked and that it never lost its password security. Instead, the breach occurred when RSI employees were doing technical testing on November 4th , December 19th and December 24th 2013. (1/9/2014)

Information Source:Media

records from this breach used in our total: 0

July 4, 2014

St. Vincent Breast CenterIndianapolis, Indiana

MED

DISC

63,000

St. Vincent Breast Center have announced that patient's health information may have been breached after the center sent around 63,000 letters to the wrong patients. The letters included patient names, addresses and in certain references to scheduled appointments. Reportedly no Social Security numbers, financial information or clinical information.

"St.Vincent Breast Center entered into an agreement with Indianapolis
Breast Center P.C. and Solis Women’s Health Breast Imaging Specialists
of Indiana P.C. after they both closed last year.

On May 5, St.Vincent Breast Center mailed letters intended for prior
patients of the Indianapolis Breast Center and Solis Women’s Health to
inform them that St.Vincent was available to provide care. Some letters
also welcomed patients who had previously scheduled healthcare services.

Officials said on May 15, people who had accidentally received another person’s letter began calling St.Vincent".

For those affected they can call 1-877-216-3862 from Monday through Friday 9:00 a.m. to 7:00 p.m.

Information Source:Media

records from this breach used in our total: 0

July 21, 2014

Dominion Resources Inc.Richmond, Virginia

BSO

HACK

1,700

Personal information of more than 1,700 people at Dominion Resources Inc. were compromised when unauthorized parties hacked the employee wellness plan. The hacker gained access via a subcontractor's system, StayWell Health Management LLC who runs Dominions "Well on Your Way" program which includes a health screening, to gain the information hacked.

The hacking actually occurred at a vendor Stay Well uses, Onsite Health Diagnostics, based in Irvine, Texas, that provideds the sign-up mechanism for "Well on Your Way's" health-screening appointments.

The information included individuals' names, addresses, email addresses, phone numbers, gender and dates of birth of employees, spouses and domestic partners who went online to schedul a health-screening appointment going back to 2012.

"Dominion Resources said the company was notified of the breach on June 24 but didn't learn the identities of those affected until July 7th. Dominion Resources is investigating why it took so long for the company to be notified. They are no longer using Onsite Health Diagnostics for scheduling".

Information Source:Media

records from this breach used in our total: 0

March 3, 2015

Toys "R" UsWayne, New Jersey

BSR

HACK

Unknown

Toys "R" Us contacted customers that their passwords to their reward program account would be reset in order to avoid an unauthorized attempts to their rewards program account.

The company communicated that those notified did not necessarily have their accounts accessed, however, the risk was higher due to the discovery by the company of "recycled login details used by some of its customers."

Between January 28th and January 30th, 2015, the company discovered a number of "illegal login attempts made to its Rewards "R" Us accounts." The current announcement is an additional security measure so that other customer accounts cannot be accessed in a similar way. "Out of an abundance of caution, we are therefore treating your account password as compromised and taking appropriate steps to address the situation," in a letter sent by the company to its customers.

Sensitive medical information was dumped outside of a DMV office. The medical information came from a eating disorder clinic that had recently closed. Patient information such as medical treatment and Social Security number was exposed. It is unknown how the information ended up in the dumpster.

According to their website: "On April 12, 2010, one of our laptop computers, which contained personal information, was stolen during a patient visit. The laptop had security measures in place, but there is a very small chance that protected information such as name, address, date of birth, Social Security number, insurance information, medications, treatment, and diagnoses may have been inappropriately accessed."

Information Source:Dataloss DB

records from this breach used in our total: 0

November 10, 2009

Obsidian Financial GroupWoodbury, New York

BSF

INSD

Unknown

A former employee broke into a Woodbury financial services company, photocopied customers' Social Security numbers and bank reference numbers and took the photocopied data with him when he left.

Information Source:Dataloss DB

records from this breach used in our total: 0

March 25, 2005

Purdue UniversityWest Lafayette, Indiana

EDU

HACK

1,200 (not included in total because news stories are not clear if SSNs or financial information were exposed)

Computers in the College of Liberal Arts' Theater Dept. were hacked, exposing personal information of employees, students, graduates, and business affiliates.

Information Source:Dataloss DB

records from this breach used in our total: 0

April 13, 2010

Virginia Beach Dept. of Social ServicesVirginia Beach, Virginia

GOV

INSD

Unknown

At least eight human services employees, including supervisors, have been fired or disciplined in the past year for wrongfully accessing confidential and personal information about former employees, family members and clients. The violations include a boss who forced her employees to gather information from a state database about her husband's child and a worker who checked on the status of a dead client's Medicaid benefits to help the client's family. Most of the cases stemmed from the agency's financial assistance department, which handles food stamps, Medicaid assistance, grants for the disabled and emergency relief for needy families. As part of their jobs, the 330 employees in the department who provide social services have varying degrees of access to secured databases. They need the information to determine whether a client qualifies for financial help.

Information Source:Dataloss DB

records from this breach used in our total: 0

November 17, 2009

Nebraska Workers' Compensation CourtOmaha, Nebraska

GOV

HACK

Unknown

Someone broke into a server that temporarily held injury reports. Whenever a worker has a job-related injury, a report is filed with the Workers' Compensation Court and the information is temporarily stored on that server. Personal information, including birth dates and Social Security numbers, would have been on the server.

Information Source:Dataloss DB

records from this breach used in our total: 0

June 4, 2005

Duke University Medical CenterDurham, North Carolina

EDU

HACK

14,000 (No reports of full SSNs or financial information)

A hacker broke into the computer system, stealing thousands of passwords and fragments of Social Security numbers. Fourteen thousand affected people were notified, including 10,000 employees of Duke University Medical Center.

Information Source:Dataloss DB

records from this breach used in our total: 0

May 30, 2005

MotorolaSchaumburg, Illinois

BSO

STAT

Unknown

Two computers were stolen from third party vendor Affiliated Computer Services (ACS). They had security safeguards and contained names and Social Security numbers of Motorola employees. Motorola notified affected staff by email and offered fraud insurance coverage.

Information Source:Dataloss DB

records from this breach used in our total: 0

July 6, 2005

City National Bank, Iron MountainLos Angeles, California

BSF

PORT

Unknown

Two tapes containing Social Security numbers, account numbers, and other customer information were lost or stolen during transportation. The tapes have been missing since April. City National Bank notified its customers.

Information Source:Dataloss DB

records from this breach used in our total: 0

August 30, 2005

JP Morgan Chase & Co.Dallas, Texas

BSF

PORT

Unknown

A laptop was stolen on August 8th. It contained
personal and financial account information of customers. Those affected were contacted.

Information Source:Dataloss DB

records from this breach used in our total: 0

September 23, 2005

Bank of AmericaCharlotte, North Carolina

BSF

PORT

Not disclosed

A laptop was stolen from a Bank of America service provider. Information such as names, account numbers, routing transit numbers, and credit card numbers were compromised by the theft. An unspecified number of Visa Buxx users were contacted by Bank of America.

ISU discovered a security
breach in a server containing archival information about students,
faculty, and staff, including names, Social Security numbers, birth dates, and grades. Anyone who was a student or employee between 1995 and 2005 could be affected.

Information Source:Dataloss DB

records from this breach used in our total: 0

December 12, 2005

Sam's Club, a division of Wal-Mart Stores, IncBentonville, Arkansas

BSR

UNKN

Unknown

Note: location is corporate headquarters, not necessarily the location of the breach.

Customers who used credit cards at the wholesaler's gas stations discovered fraudulent activity on their credit accounts. Sam's Club is unaware of how the information was stolen. Visa alerted the affected financial institutions and asked them to provide fraud monitoring services for the affected customers.

Information Source:Dataloss DB

records from this breach used in our total: 0

December 16, 2005

La Salle Bank, ABN AMRO Mortgage Group, DHLAnn Arbor, Michigan

BSF

PORT

[2,000,000]
Not included in total below.

A backup tape with residential mortgage customers' information was lost in shipment by DHL. It contained Social Security numbers and account information.

UPDATE (12/20/05): DHL found the lost tape.

Information Source:Security Breach Letter

records from this breach used in our total: 0

January 27, 2010

Department of CommerceWashington, District Of Columbia

GOV

DISC

Unknown

A Department of Commerce employee inadvertently transmitted over the Internet a file containing the Personally Identifiable Information (PII) of Commerce employees to other Department employees. Although the Department employees were authorized to send and receive the PII, the transmission of the PII over the Internet in unencrypted form may have compromised their name and Social Security numbers.

Information Source:Dataloss DB

records from this breach used in our total: 0

January 2, 2006

H&R BlockKansas City, Missouri

BSO

DISC

Unknown

H&R Block included Social Security numbers in a 40-digit
number string on mailing labels. Affected individuals were contacted.

Information Source:Dataloss DB

records from this breach used in our total: 0

January 17, 2006

City of San Diego, Water & Sewer DepartmentSan Diego, California

GOV

INSD

Unknown

A dishonest employee accessed
customer account files, including Social Security numbers, and stole the identities of two individuals.

Hackers may have accessed Social
Security numbers, credit card information and check images of people who donated to the University between November 22 of 2005 and January 12 of 2006.

Information Source:Dataloss DB

records from this breach used in our total: 0

October 14, 2010

CitibankFlorence, Kentucky

BSF

INSD

Unknown

Three women have been charged for their roles in defrauding clients of a Citibank in Florence, KY. At least two of the women were employees of Citibanks in other states. One woman stole customer credit card account numbers and changed their addresses, while another used the information to make purchases in another state. The third woman assisted in collecting the purchased goods. The fraud began at the end of 2006 and two of the women were arrested in March of 2007.

Three hard drives containing
clients' names, Social Security numbers, addresses and phone numbers
stolen during a break in. Information on the drives was protected via password and security software. The business owner sent letters to his clients alerting them of the theft.

Information Source:Dataloss DB

records from this breach used in our total: 0

March 8, 2006

Verizon CommunicationsNew York, New York

BSO

PORT

Unknown

Two laptops containing
employees' personal information including Social Security numbers were stolen. Verizon is offering affected employees free use of a credit monitoring service.

Information Source:Dataloss DB

records from this breach used in our total: 0

March 8, 2006

iBill [disputed]Deerfield Beach, Florida

BSF

UNKN

17,781,462 (SSNs and financial information not involved)

A dishonest insider or possibly
malicious software linked to iBill was used to post names, phone numbers,
addresses, e-mail addresses, Internet IP addresses, login names and passwords,
credit card types and purchase amount online. Credit card account
numbers, expiration dates, security codes, and Social Security numbers were NOT included,
but in our opinion the affected individuals could be vulnerable to
social engineering to obtain such information. Whether iBill is the source of the breach has been disputed.

Information Source:Dataloss DB

records from this breach used in our total: 0

March 11, 2006

California Department of Consumer Affairs (DCA)Sacramento, California

GOV

PHYS

Unknown

Mailed applications
of DCA licensees or prospective licensees for CA state boards and
commissions were stolen. The forms include full or partial Social
Security numbers, driver's license numbers, and potentially payment
checks.

Information Source:Dataloss DB

records from this breach used in our total: 0

November 6, 2009

MassMutualSpringfield, Massachusetts

BSF

HACK

Unknown

According to MassMutual, a "limited amount" of personal employee information maintained in a database by an outside vendor may have been subject to unauthorized access. The vendor engaged a forensics team to investigate, and at this time they believe that no misuse of the information or fraudulent activity involving the data has occurred. This database does not include client or field representative information; it also did not contain personal Social Security or bank account information, according to the company.

Information Source:Dataloss DB

records from this breach used in our total: 0

March 14, 2006

Buffalo Bisons and Choice One OnlineBuffalo, New York

BSO

HACK

Unknown

A hacker accessed sensitive
financial information including the credit card numbers names, and passwords
of customers who ordered items online. The Bisons mailed letters to affected customers and notified American Express, MasterCard, Discover, and Visa.

Information Source:Dataloss DB

records from this breach used in our total: 0

November 20, 2009

University Medical CenterLas Vegas, Nevada

MED

INSD

Unknown

Someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries. Private information about accident victims treated at University Medical Center has apparently been leaking for months; allegedly so ambulance-chasing attorneys could mine for clients.

UPDATE(4/29/10): A man was indicted today by a federal grand jury in an alleged conspiracy to pay a University Medical Center employee for private information about traffic accident victims that was used to drum up clients. The man was indicted on one count of conspiracy to illegally disclose personal health information, in violation of the Health Insurance Portability and Accountability Act, better known as HIPAA. Between January and November 19, 2009 the man allegedly conspired with people, including a UMC employee, to use hospital "face sheets" to solicit personal injury cases for attorneys. The UMC employee faxed the registration sheets of trauma patients to the man on at least 55 occasions and was paid about $8,000, the indictment said. The U.S. Attorney's press release said the man has been summoned for a May 14 hearing. If convicted, he faces up to five years in prison and a $250,000 fine.

UPDATE (5/11/2011): A man responsible for the breach was sentenced to 33 months in prison and three years of supervised release. He had been charged with conspiracy to illegally disclose personal health information.

TAD Gear recently learned that their database was illegally accessed from an external source, and it appears that some customer data was taken, which may include customer names, contact information and credit card data. The possibility of a security breach came to their attention when certain customers notified them that unauthorized charges had appeared on their credit cards. Upon learning of the potential breach of security, TAD Gear immediately initiated an investigation, and took corrective steps.

Information Source:Dataloss DB

records from this breach used in our total: 0

November 21, 2009

Notre Dame UniversityNotre Dame, Indiana

EDU

DISC

Unknown

Notre Dame is warning university employees to keep an eye on their bank accounts after a security breach. Personal information of some past and current employees - including name, Social Security number and birth date - was accidentally posted onto a public website. The error was corrected and the information removed from the website.

Information Source:Dataloss DB

records from this breach used in our total: 0

November 24, 2009

ACORNSan Diego, California

BSO

DISC

Unknown

Documents that contained personnel information were accidentally thrown away in a dumpster. San Diego staff members were doing an office clean-up in preparation for a major 10-station phone bank program being set up in their offices; it appears that included in the piles of garbage being thrown out there were some documents containing private information.

Information Source:Dataloss DB

records from this breach used in our total: 0

March 30, 2010

Three Rivers Community CollegeNorwich, Connecticut

EDU

HACK

Unknown

Three Rivers Community College may have suffered a security breach due to unauthorized access to its computer network. Data made vulnerable in the breach included names and Social Security numbers. Those affected would have been involved in the following programs during these years: 1997-2009: Participants in the Real Estate programs2004-2009: Participants in the Life Long Learners programs 2003-2006: Participants in the Patient Care Technicians programs2004-2006: Participants in the Certified Nursing Assistant programs2004-2005: Participants in the Electric Boat academic programs2007-2008: Participants in the Bridges to Health Care Careers programs2006-2008: Participants in the Photons for Educators programs2004-2009: Faculty or staff members of the Three Rivers Continuing Education office.

Information Source:Dataloss DB

records from this breach used in our total: 0

November 29, 2009

Salem Housing and Community ServicesSalem, Oregon

GOV

DISC

Unknown

Sloppy handling of confidential records by a state agency in Salem left people's names, Social Security numbers, ages and addresses exposed in an open recycling bin outdoors. In a separate security lapse by another state agency, confidential records with the names and Social Security numbers of former state parks and recreation employees landed in the same recycling bin.

Information Source:Dataloss DB

records from this breach used in our total: 0

April 28, 2006

Ohio Secretary of StateCleveland, Ohio

GOV

DISC

Potentially millions
of registered voters

The names, addresses, and
Social Security numbers of potentially millions of registered voters
in Ohio were included on CD-ROMs distributed to 20 political campaign
operations for spring primary election races. The records of about
7.7 million registered voters are listed on the CDs, but it's unknown
how many records contained Social Security numbers, which were not supposed to have been
included on the CDs.

UPDATE (9/15/06):
A news report said that some Social Security numbers still remain on the agency's Web
site.

Information Source:Dataloss DB

records from this breach used in our total: 0

May 2, 2006

Georgia State GovernmentAtlanta, Georgia

GOV

STAT

Unknown

Government surplus computers
that sold before their hard drives were erased contained credit card
numbers, birth dates, and Social Security numbers of Georgia citizens. The State stopped selling the computers after being notified by a buyer. Thousands of patient records from a psychiatric hospital in Rome, Georgia were found on one computer's hard drive.

Information Source:Dataloss DB

records from this breach used in our total: 0

May 4, 2006

Idaho Power CompanyBoise, Idaho

BSO

PORT

Unknown

Four company hard drives
were sold on eBay containing hundreds of thousands of confidential
company documents, employee names and Social Security numbers, and
confidential memos to the company's CEO.

A computer was compromised that hosted a variety of Web-based forms, including some that processed
online business transactions. Although this computer was not set
up to store personal information, investigators did discover files
that contained fragments of personal information, including Social
Security numbers. The data is fragmentary and it is not certain if
the compromised information can be traced to individuals. Also found
on the computer were 12 credit card numbers that were used for event
registration.

Information Source:Media

records from this breach used in our total: 0

May 5, 2006

Wells FargoSan Francisco, California

BSF

STAT

Unknown

A computer containing names,
addresses, Social Security numbers and mortgage loan deposit numbers
of existing and prospective customers may have been stolen while being
delivered from one bank facility to another.

Information Source:Dataloss DB

records from this breach used in our total: 0

May 17, 2006

M &T Bank via contractor PFPCBuffalo, New York

BSF

PORT

Unknown

A laptop computer, owned
by PFPC, a third party company that provides record keeping services
for M & T's Portfolio Architect accounts was stolen from a vehicle.
The laptop contained clients' account numbers, Social Security numbers,
last name and the first two letters of their first name.

Information Source:Security Breach Letter

records from this breach used in our total: 0

May 24, 2006

Sacred Heart UniversityFairfield, Connecticut

EDU

HACK

Unknown

It was discovered on May
8th that a computer containing personal information including names,
addresses and Social Security numbers was breached. The University did not immediately release information on who the breach affected.

Information Source:Dataloss DB

records from this breach used in our total: 0

December 15, 2009

RockYouRedwood City, California

BSR

HACK

32 million (No SSNs or financial information reported)

The security firm Imperva issued a warning to RockYou that there was a serious SQL Injection flaw in their database. Such a flaw could grant hackers access to the service's entire list of user names and passwords in the database. Imperva said that after it notified RockYou about the flaw, it was apparently fixed over the weekend. But that's not before at least one hacker gained access to what they claim is all of the 32 million accounts; 32,603,388 to be exact. The database included a full list of unprotected plain text passwords and email addresses.

UPDATE (4/21/2011): The 32 million email addresses and passwords exposed include log in information from social networking sites like Facebook and MySpace.

On April 18, 2011 a court ruled that the loss of information caused injury. The court determined that "the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts." The court also found that RockYou.com's privacy policy language, which stated that RockYou.com's servers were secure, did not automatically preclude the plaintiff's allegation that a contract had been breached because the plaintiff alleged that the servers were not secure.

UPDATE (3/27/2012): The Federal Trade Commission is alleging that RockYou violated the Children's Online Privacy Protection Act Rule (COPPA Rule) by collecting information from approximately 179,000 children. A proposed FTC settlement order requires RockYou to pay a civil penalty of $250,000 to settle COPPA charges. In addition to the penalty, the company would be barred from future deceptive claims regarding company privacy and data security, required to implement and maintain a data security program, and barred from future violations of the COPPA rule.

Information Source:Databreaches.net

records from this breach used in our total: 0

May 30, 2006

Florida International UniversityMiami, Florida

EDU

HACK

Unknown

Hacker accessed a database
that contained personal information on thousands of individuals, such as student and applicant
names and Social Security numbers.

The theft of a laptop exposed applications for study abroad students. Names and Social Security numbers were exposed. An unknown number of NH residents were affected.

Information Source:Dataloss DB

records from this breach used in our total: 0

January 27, 2010

University of California, San Francisco (UCSF) School of MedicineSan Francisco, California

MED

PORT

7,300 (No SSNs or financial information reported)

A laptop containing files with information on 4,400 patients was stolen from a
UCSF School of Medicine employee. Information “potentially exposed” included
name, medical record number, age and clinical information, but the stolen laptop
did not contain any Social Security numbers or other financial data. The same
laptop also contained data for approximately 2,900 patients at Beth Israel
Deaconess Medical Center in Boston

Information Source:Dataloss DB

records from this breach used in our total: 0

Breach Total

815,842,526 RECORDS BREACHED(Please see explanation about this total.)from 4,489 DATA BREACHES made public since 2005